---
id: openid-connect-dynamic-client-registration
title: OpenID Connect Dynamic Client Registration
---

Ory Hydra is capable of exposing

- [OpenID Connect Dynamic Client Registration](https://openid.net/specs/openid-connect-registration-1_0.html)
- [OAuth 2.0 Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591)
- [OAuth 2.0 Dynamic Client Registration Management Protocol](https://datatracker.ietf.org/doc/html/rfc7592)

endpoints and capabilities. This feature allows third parties to create OAuth2
Clients in self-service, without administrative privileges. The feature is
disabled by default!

This is particularly useful if you are running a public service and want users
to be able to create their own OAuth2 clients easily.

To enable this feature, set the following configuration option:

```yaml
oidc:
  dynamic_client_registration:
    enabled: true
```

Enabling this feature will add listeners to the following four routes at the
public endpoint:

- `POST /openid/register` - Register a new OAuth2 Client;
- `GET /openid/register/<client_id>` - Fetch the OAuth2 Client;
- `PUT /openid/register/<client_id>` - Update the OAuth2 Client;
- `DELETE /openid/register/<client_id>` - Delete the OAuth2 Client;

## Register OAuth2 & OpenID Connect Clients

If OpenID Connect Dynamic Client Registration is enabled, registering a new
OAuth2 Client is as simple as:

```
POST /openid/register
Content-Type: application/json

{
  "client_id": "...",
  "registration_access_token": "...",
  ...
}
```

:::note

The `registration_access_token` will only be sent once! You need to store this
token in a secure location. This token will be used to update the OAuth2 Client.

:::

Please note that it is not possible to set OAuth2 Client Metadata, the OAuth2
Client ID nor the OAuth2 Client Secret using this endpoint. This ensure that
third parties follow the strict security guidlines of the system.

The metadata field is protected and privileged and can only be set using the
administrative endpoint! OAuth2 Client Metadata can also not be read using
OpenID Connect Dynamic Client Registration endpoints!

## Manage OAuth2 & OpenID Connect Clients

The `POST` endpoint requires the client to authenticate with the
`registration_access_token` regardless of the `token_endpoint_auth_method`. It
can be used to update the OAuth2 Client.

```
PUT /openid/register/{client_id}
Authorization: Bearer <registration_access_token>
Content-Type: application/json

{
  "redirect_uris": [...]
  ...
}
```

The response will include the updated OAuth2 Client.

:::note

When updating the OAuth2 Client, the server will respond with a new registration
access token. The old one will become invalid!

:::

```
{
  "client_id": "...",
  "registration_access_token": "..."
  ...
}
```

## Get OAuth2 & OpenID Connect Clients

The `GET` endpoint requires the client to authenticate with the
`registration_access_token` regardless of the `token_endpoint_auth_method`. It
can be used to retrieve the OAuth2 Client.

```
GET /openid/register/{client_id}
Authorization: Bearer <registration_access_token>
Content-Type: application/json

{
  "redirect_uris": [...]
  ...
}
```

## Delete OAuth2 & OpenID Connect Clients

The `DELETE` endpoint requires the client to authenticate with the
`registration_access_token` regardless of the `token_endpoint_auth_method`. It
can be used to delete the OAuth2 Client.

```
DELETE /openid/register/{client_id}
Authorization: Bearer <registration_access_token>
```
